-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 14 Mar 2025 21:47:50 +0100 Source: opensaml Binary: libsaml-dev libsaml12 libsaml12-dbgsym opensaml-tools opensaml-tools-dbgsym Architecture: mipsel Version: 3.2.1-3+deb12u1 Distribution: bookworm-security Urgency: high Maintainer: mipsel Build Daemon (mipsel-osuosl-03) Changed-By: Ferenc Wágner Description: libsaml-dev - Security Assertion Markup Language library (development) libsaml12 - Security Assertion Markup Language library (runtime) opensaml-tools - Security Assertion Markup Language command-line tools Closes: 1100464 Changes: opensaml (3.2.1-3+deb12u1) bookworm-security; urgency=high . * [b3e86fd] New patch: CPPOST-126 - Simple signature verification fails to detect parameter smuggling. Security fix cherry-picked from v3.3.1 (upstream commit 22a610b322e2178abd03e97cdbc8fb50b45efaee). Parameter manipulation allows the forging of signed SAML messages ================================================================= A number of vulnerabilities in the OpenSAML library used by the Shibboleth Service Provider allowed for creative manipulation of parameters combined with reuse of the contents of older requests to fool the library's signature verification of non-XML based signed messages. Most uses of that feature involve very low or low impact use cases without critical security implications; however, there are two scenarios that are much more critical, one affecting the SP and one affecting some implementers who have implemented their own code on top of our OpenSAML library and done so improperly. The SP's support for the HTTP-POST-SimpleSign SAML binding for Single Sign-On responses is its critical vulnerability, and it is enabled by default (regardless of what one's published SAML metadata may advertise). The other critical case involves a mistake that does *not* impact the Shibboleth SP, allowing SSO to occur over the HTTP-Redirect binding contrary to the plain language of the SAML Browser SSO profile. The SP does not support this, but other implementers may have done so. Contrary to the initial publication of this advisory, there is no workaround within the SP configuration other than to remove the "SimpleSigning" security policy rule from the security-policy.xml file entirely. That will also prevent support of legitimate signed requests or responses via the HTTP-Redirect binding, which is generally used only for logout messages within the SP itself. Removing support for that binding in favor of HTTP-POST in any published metadata is an option of course. Full advisory: https://shibboleth.net/community/advisories/secadv_20250313.txt Thanks to Scott Cantor (Closes: #1100464) Checksums-Sha1: 783a35248537f7afa1cda693897a1c0aa5f30c09 42672 libsaml-dev_3.2.1-3+deb12u1_mipsel.deb fa261f04c671e938c7c44385709d67ef80f6521d 10003128 libsaml12-dbgsym_3.2.1-3+deb12u1_mipsel.deb 87dd815d012c84c541c494d4db1d89475746d44c 790720 libsaml12_3.2.1-3+deb12u1_mipsel.deb dfe9008de72d96cb0e052cb76ac30c83f7389be7 219788 opensaml-tools-dbgsym_3.2.1-3+deb12u1_mipsel.deb 0d5384233747ea933e494af67fe72dbb8167cf8b 23992 opensaml-tools_3.2.1-3+deb12u1_mipsel.deb 5045e77fab8623d0e20b2e404ce02270e7666741 8477 opensaml_3.2.1-3+deb12u1_mipsel-buildd.buildinfo Checksums-Sha256: e73165cf318b895f42d47166bb1541c1ecbd46097849e3c3cacc04b8b526605c 42672 libsaml-dev_3.2.1-3+deb12u1_mipsel.deb 5aba85defa01c208532e09da9a67b3f82ee5cd093f88385d50bcd8b5903dddb5 10003128 libsaml12-dbgsym_3.2.1-3+deb12u1_mipsel.deb b13e5809cdb7ec7ede37fa4d74a7313c941e14974a69a9fdc42e8bad3744b26b 790720 libsaml12_3.2.1-3+deb12u1_mipsel.deb 433c85f10108f89d938c3792d9828422bbac014336dcbd6338a8664b47e8472b 219788 opensaml-tools-dbgsym_3.2.1-3+deb12u1_mipsel.deb 689abe293707703f66b5015b158b81fd6919e7673100186878d2cd940b483c50 23992 opensaml-tools_3.2.1-3+deb12u1_mipsel.deb 3309486f15399de6d53167c542ecb6ad6f360154274dd1a65d941d694620db8c 8477 opensaml_3.2.1-3+deb12u1_mipsel-buildd.buildinfo Files: 81e9d399ad63c9615de0f121b8878174 42672 libdevel optional libsaml-dev_3.2.1-3+deb12u1_mipsel.deb ab3933cd99ae6a8471776730410bdaa7 10003128 debug optional libsaml12-dbgsym_3.2.1-3+deb12u1_mipsel.deb b80fcd03c5ce0c48a072ad1c5eb78432 790720 libs optional libsaml12_3.2.1-3+deb12u1_mipsel.deb 60cb2afb3cc2e3504b2eeb2a86566315 219788 debug optional opensaml-tools-dbgsym_3.2.1-3+deb12u1_mipsel.deb 56ec5276f22fb54aeed839e051c3e946 23992 text optional opensaml-tools_3.2.1-3+deb12u1_mipsel.deb bd33889eda016a175000161fd039f135 8477 libs optional opensaml_3.2.1-3+deb12u1_mipsel-buildd.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEesE3YcWKZXIkRPMemf85J+x5/aoFAmfUvqkACgkQmf85J+x5 /aqdyQ//XJiRYCmCnC78Cp5IQ1d88+gfvW7+rt3yvWD6GOPZit5UvzhrnUGg6Ad6 iXYkd5pAHP1iKKGRmqRXs8plXzbEz/3NgxZhWAAIbskDYqi6gFDVsSL+EkfJd+/u kjrTERNVMz2mPewc554X3+tHXu4Wn6ZeZzkLpFZQA+kvhdUGpCPojx/7aX02LhOm VwVYvWFIZ0GFg1F0RMQt0xgc2Z7RpWrAE0pQrdz3LoVvdaLs8u/T0t9l1jSzgRrV Suj4DJ+F9Kkqfwl/6FhETxPh8zhg9fubOKNBdQQXg0a0IctFj5tn89fUFjPlBa7j Ohpq8BVqJFXEPg2S+eXFThU14wVJJMT3omwNs7YGn5iea9fbeQzDRRGS+qrWVrd7 b7bpDXoOnqaRGx6lmqavmMy4srChukQbzX1WMLAfR+gmgyCEwti5IpZTxjReoH+C Qca9h/41f6hgeQuNhKc3FXS5fMED5hKCac80tQ27CVMp0LEaaCNLSIgn28QOXSEE qaVSCiRVsqvvhDlKkOM3mont/DXREl+bD0weOF3n1/VdMTPstfhLFFCf0QAHhv7C gU7TJpQvFbDpmCdhIzP/4Q1vNbC9XTHhkcJ0dsBD1rOliRP79iajRHCy08OSqIQt my+5rzWm8ONsuwlR1LC0H1V24lxQUfYqUTzXApNCgj+XXoaK73c= =A2j6 -----END PGP SIGNATURE-----